Nowadays, Java malware that exploits various Java vulnerabilities is very widespread. Much of it uses string encryption to hide its presence and its actions on an infected host. As a rule, these strings hold registry keys, commands that launch other programs, and so on.

In this article we examine the most widespread string encryption method in Java malware and write a small tool that removes the encryption for the purposes of malware analysis.

A short introduction to the Java class file bytecode format

For what follows it is necessary to know that all constants in a Java class (strings and primitive-type values) are stored in a special structure inside the class file called the Constant Pool. The JVM instruction that pushes an element of the Constant Pool onto the operand stack is ldc.

Jedi side

To write our automatic decryption tool we need ASM (http://asm.ow2.org/). The idea is as follows: load the class that contains the decrypt function, replace each encrypted string with its decrypted value, and cut the instruction that calls the decrypt function out of the bytecode.
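As an added example (not the article's own tool), here is that idea implemented with ASM's tree API. It assumes a hypothetical sample class `Sample` in the working directory whose string constants are passed through a `static String decrypt(String)` method declared in that same class; the owner, method name and descriptor are constructed placeholders.

```java
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.tree.*;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;

public class StringDecryptor {
    // Hypothetical sample layout: class "Sample" in the working directory, whose strings are
    // decrypted at runtime by `static String decrypt(String)` declared in that same class.
    static final String OWNER = "Sample", NAME = "decrypt", DESC = "(Ljava/lang/String;)Ljava/lang/String;";
    // Rewrites every `ldc "ciphertext"; invokestatic Sample.decrypt` pair into `ldc "plaintext"`.
    static byte[] decryptStrings(byte[] classBytes, Method decrypt) throws Exception {
        ClassNode cn = new ClassNode();
        new ClassReader(classBytes).accept(cn, 0);
        int patched = 0;
        for (MethodNode mn : cn.methods) {
            for (AbstractInsnNode insn = mn.instructions.getFirst(); insn != null; insn = insn.getNext()) {
                if (!(insn instanceof LdcInsnNode) || !(((LdcInsnNode) insn).cst instanceof String)) continue;
                LdcInsnNode ldc = (LdcInsnNode) insn;
                AbstractInsnNode next = ldc.getNext();
                while (next != null && next.getOpcode() == -1) next = next.getNext(); // skip labels/line numbers/frames
                if (!(next instanceof MethodInsnNode)) continue;
                MethodInsnNode call = (MethodInsnNode) next;
                if (call.getOpcode() != Opcodes.INVOKESTATIC || !call.owner.equals(OWNER)
                        || !call.name.equals(NAME) || !call.desc.equals(DESC)) continue;
                ldc.cst = decrypt.invoke(null, ldc.cst); // let the sample's own routine produce the plaintext
                mn.instructions.remove(call);            // call is now redundant; net stack effect is unchanged
                patched++;
            }
        }
        System.out.println("replaced " + patched + " encrypted string constant(s)");
        ClassWriter cw = new ClassWriter(0); // existing frames and max_stack remain valid (String in, String out)
        cn.accept(cw);
        return cw.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        Path dir = Path.of(".");
        try (URLClassLoader loader = new URLClassLoader(new URL[]{dir.toUri().toURL()})) {
            Method decrypt = loader.loadClass(OWNER).getDeclaredMethod(NAME, String.class);
            decrypt.setAccessible(true); // obfuscated decrypt routines are usually private
            byte[] original = Files.readAllBytes(dir.resolve(OWNER + ".class"));
            Files.write(dir.resolve(OWNER + ".decrypted.class"), decryptStrings(original, decrypt));
        }
    }
}
```

Note that loadClass runs the sample's static initializer before any string is touched, so this belongs in an isolated analysis VM; the real owner, name and descriptor of the decrypt call can be read off the invokestatic in javap -c output.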

Conclusion

Static string encryption offers no real protection. ASM is a very powerful tool for manipulating bytecode. Guys, do not write malware; instead found, maintain and contribute to open source projects. It will bring you a lot of fun (and profit), believe me!